Safeguard your identity and password.
Some services and data you access are private or sensitive. Nobody should access or change your email, files, class schedules, medical history, budget, research data, or grades but you. Access to those services is authorized based on your identity. Your password is your proof of your identity. When passwords are compromised, the criminal takes on your identity and can do anything you can do (and perhaps even more!).
Passwords may be compromised by any of a number of methods. Here they are in relative order of frequency, along with the things you can do to decrease risk.
You give them to criminals who fooled you with a "phishing" message or fake web site.
This is probably the most common way passwords are compromised. It is up to you to determine if an email message or web site is real. Unfortunately, in this day and age that can be difficult. Still, some basic practices and tells can be used to validate most JMU email messages and web sites.
- Learn how to avoid fake e-mail and web sites and protect both your JMU and personal accounts. View the video and take the IsItReal? game challenge.
- Look Where You're Going - hover over email links to make sure they're pointing to a domain associated with the message. For JMU, that would almost always be jmu.edu. For non-JMU messages, you'll need to acquaint yourself with the organizations' official web sites and domains. Online tools can help. If in doubt, don't click.
- Look Where You're At - if you click a link and get to a web site, look at the browser address bar and make sure it displays a domain associated with the organization you think you're dealing with. For JMU, that would almost always be jmu.edu. For non-JMU organizations, you'll need to acquaint yourself with the organizations' official web sites and domains. Online tools can help. If in doubt, close the browser.
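As an added example (not part of the JMU page), the two "look where you're going" tells applied mechanically in Python: extract the host a link really leads to and test whether it is jmu.edu or a subdomain of it. The sample hover addresses are constructed for illustration, not taken from any real message.

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "jmu.edu"   # the domain the page says JMU links should use

def link_domain(url):
    """Host name the browser would actually go to, lower-cased, or None.
    urlsplit() drops any user@ prefix and :port, which is exactly the
    decoration that makes a hover address hard to read."""
    if "://" not in url:
        url = "http://" + url        # hover text often omits the scheme
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None

def belongs_to(url, expected=EXPECTED_DOMAIN):
    """True only if the host is the expected domain or a subdomain of it.
    Hosts that merely contain the text (notjmu.edu, jmu.edu.example.net)
    are rejected, as is jmu.edu appearing only in the path or user info."""
    host = link_domain(url)
    return host is not None and (host == expected or host.endswith("." + expected))

# Constructed sample hover addresses (not taken from any real message).
SAMPLE_LINKS = [
    "https://www.jmu.edu/computing/",      # genuine JMU host
    "www.jmu.edu/mail",                    # no scheme in the hover text
    "https://jmu.edu.example.net/login",   # jmu.edu is only a prefix
    "https://example.net/jmu.edu/login",   # jmu.edu is only in the path
    "https://jmu.edu@example.net/login",   # jmu.edu is only user info
    "https://notjmu.edu/login",            # shares the ending text only
]

def triage(links, expected=EXPECTED_DOMAIN):
    """Apply the 'look where you're going' check to every link in a message."""
    return {u: (link_domain(u), belongs_to(u, expected)) for u in links}

if __name__ == "__main__":
    for url, (host, ok) in triage(SAMPLE_LINKS).items():
        print(f"{'OK   ' if ok else 'DOUBT'} {str(host):<24} {url}")
```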
Criminals break into one of your service providers and steal them in bulk.
There isn't a lot you can do about a failure of security at one of your service providers but you can limit losses.
Generally, the provider protects the stored secrets with cryptography, but they can still be cracked given enough time. And if the intruder isn't detected, they're free to gather unprotected passwords as they pass through the service in real time for as long as they maintain control.
If you use the same password on multiple sites, a security failure by one site may allow the criminal to access your other sites.
- Using a unique password for each service, or at least for each level of service (e.g. financial/medical vs youtube/facebook), will limit the spread of damage from one service to another.
You type them into a compromised device.
The device may be your own virus-infected computer or someone else's device. The device may be set up purposely to collect passwords or may inadvertently store them...sometimes at our behest (e.g. "Would you like to remember this password?").
- Follow StartSafe procedures to set up a device with the best chance of fending off compromises and follow RUNSAFE operating advice to help keep them that way.
- Refrain from typing passwords into unknown or shared devices.
You use vulnerable communications links or protocols.
For example, a poorly configured wireless network, or a service like FTP, Telnet, or even plain HTTP (i.e. HTTP without the S of HTTPS).
- Set up your wireless network according to present day best practices (WPA2) using strong secrets.
- Refrain from typing passwords to critical accounts through unknown wireless networks unless you are using a VPN. Even then, beware of browser security warnings (e.g. certificate mismatch) and cease use if they appear.
- Use only web sites that protect passwords and sensitive data with SSL encryption. These sites can usually be identified by their address starting with https and a browser lock icon. However, some sites may secure their login with SSL in other ways and it won't be apparent. Likewise, some sites may show https and a lock icon but pass data insecurely. The technical details about the exceptions are beyond the scope of end user training.
- Do not use FTP sites that require a password. Responsible, professionally run sites use secure FTP (FTPS, SFTP), SCP, HTTPS, or similar protocols to pass passwords and other sensitive data when performing file transfers.
You choose a password that is easy to guess or use a password reset mechanism that is easy for a criminal to use.
For example, if you can reset your password with a secret question like "What color is my favorite sweater?", how many tries do you think it will take a criminal to guess the right color? Using public information for the answer to a secret question is similarly ineffective as a security measure.
- Choose password reset "secret questions and answers" carefully. Make up nonsensical answers. Remember - the answers to most "secret questions" violate almost all accepted security practices for passwords. And they're often shared with several service providers.
What to do if your password is compromised
Your mailbox may be full of spam, bounced messages, and angry responses and threats from those who received spam and criminal mail from your account. They may have read or deleted everything you've sent in the past month. But that may be the least of the problems.
Choose a Strong Password
Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged-on computer) compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:
- It can't be obvious. That is, it can't exist in an attack dictionary.
- Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don't want the password to have any personal significance to you...your dog's name for example. Using a dictionary word for a password is like using a locker number for a combination.
- It can't be short
- A combination lock with a two number combination wouldn't protect very well. Anything less than an eight character password is like having such a combination. It simply won't hold up for long. A minimum of ten characters is recommended.
- It can't be made up of just a few characters
- A combination lock with only ten numbers on the dial isn't as effective as one with fifty. Using just lower case letters is like limiting a combination lock to ten numbers. A mix of characters generally makes the password stronger.
- Uppercase letters ( A-Z )
- Lowercase letters ( a-z )
- Numbers ( 0-9 )
- Punctuation marks ( !@#$%^&*()_+=- ) etc.
Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations.
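As an added example (not part of the JMU page), a small Python checker that applies the three elements above to a candidate password and sizes it with the page's combination-lock picture: dial positions (the characters in the classes actually used) raised to the number of wheels (the length). The attack dictionary here is a constructed stand-in a few entries long, and the personal_words input is an assumption added so the "dog's name" rule can be checked too.

```python
import string

# Constructed stand-in for an attack dictionary: words, names, common
# misspellings, words with numbers, and frequently chosen passwords.
ATTACK_DICTIONARY = {
    "password", "passw0rd", "password1", "letmein", "qwerty", "123456",
    "welcome", "sunshine", "football", "monkey", "fido", "summer2024",
}
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "punctuation": set(string.punctuation),
}

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {n for n, cls in CHARACTER_CLASSES.items() if cls & set(password)}

def in_attack_dictionary(password, dictionary=ATTACK_DICTIONARY):
    """Element 1: a hit if the lower-cased password is an entry, or
    becomes one once bolted-on digits/punctuation are stripped."""
    p = password.lower()
    return p in dictionary or p.strip(string.digits + string.punctuation) in dictionary

def combinations(password):
    """Combination-lock view: dial positions (characters in the classes
    used) raised to the number of wheels (password length)."""
    dial = sum(len(CHARACTER_CLASSES[c]) for c in classes_used(password))
    return dial ** len(password)

def assess(password, personal_words=()):
    """Apply the page's three elements; return the checks that failed.
    personal_words (assumed input) are names with personal significance."""
    problems = []
    lowered = password.lower()
    if in_attack_dictionary(password) or any(w.lower() in lowered for w in personal_words if w):
        problems.append("obvious: dictionary entry or personally significant")
    if len(password) < 8:
        problems.append("too short: fewer than 8 characters")
    elif len(password) < 10:
        problems.append("short: 10 characters recommended")
    if len(classes_used(password)) < 3:
        problems.append("too few character types")
    return problems

if __name__ == "__main__":
    for pw in ["Fido", "passw0rd!", "oLEcat$7t", "imcmit2s,Ibl"]:
        print(f"{pw:14} {combinations(pw):.2e} combinations  {assess(pw, ['Fido'])}")
```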
How, you may ask, am I ever going to remember such a complicated password?
- Pick a sentence that reminds you of the password. For example:
- if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl)
- only Larry Ellison could afford this $70.00 textbook (oLEcat$7t)
- What time is my accounting class in Showker 240? (WtimaciS2?)
- If you absolutely have to, record it in a secure location. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a service protected by a weak password to a billion people around the world on the Internet. Just don't write down "This is my banking password".
Replace Your Strong Password When It Wears Out
One of the most unpopular security recommendations, after choosing hard to remember passwords, is the one that asks us to throw away those passwords after we finally get to the point where we can remember them.
If our ATM card gets stolen we know it. If our keys get stolen, we'll probably miss them before someone manages to copy and return them. Unlike keys or ATM cards, passwords don't have to be physically taken to be copied or used, and it is unlikely we'll know they've been compromised. Once they're compromised, they can be transferred all over the world in the blink of an eye. Until someone uses the password, we won't know it. Most of us won't know even when they're used, unless some fairly drastic action is taken with our account(s).
While our passwords are usually protected with cryptography and are often inaccessible, there are circumstances, sometimes beyond our control, when they are available either over the network or on a system.
Even when protected with cryptography, we're gambling somewhat if the password is accessible. While it may take five years to do an exhaustive search through all the possible combinations using the latest encryption scheme, there are some practical points to remember:
- Modern computers and methods can crack passwords extremely fast.
- If we don't follow the rules about strong passwords, modern tools and methods will likely crack it in very little time. Passwords that exist in dictionaries used for attack lookups are often cracked in hours and sometimes in as little as seconds. The tools are programmed to try the things that experience has shown people pick for their passwords.
- Even if we choose a strong password forcing the tool to do an exhaustive search of all possible combinations, perhaps even 10^100 of them, it is not impossible that a random guess will get it right on the first try, or in the first hour, or the first day.
- Computers don't get tired of trying. If someone has our encrypted password in hand, or if they can continually try logging in to our system without locking the account, they can sleep while their computer continues to chug along making guess after guess.
- People make mistakes. They sometimes type their password on the wrong computer, the wrong screen, or the wrong program. Administrators make mistakes. Security folks make mistakes. Everybody makes mistakes. All it takes is once.
- Software is not perfect. Some programs don't use the latest cryptographic protection. Some use none at all.
- Networks are not perfect. Some systems are more secure than others. Passwords get reused and/or passed around.
Lots of things can result in the compromise of a password. If that password protects a lot of things or if it protects things that are important, isn't it worth the trouble to rejuvenate it once in a while by changing it?